Heartbleed: A Wakeup Call for Open Source Users (Updated)

I suspect that we'll remember Heartbleed as one of the few security vulnerabilities to have its own logo and URL. But we should remember it for the wake-up call it sounded for users of open-source software (OSS).

Heartbleed, as everyone who hasn't been camping in the wilderness for the past month knows, is a serious vulnerability in the OpenSSL cryptographic software library. OpenSSL is popular and widely used, so the vulnerability, which the Web site states, "allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions," was a big news even outside tech media. We're talking hundreds of thousands of Web servers and products potentially affected. Security analyst Bruce Schneier characterized the seriousness of Heartbleed on his blog this way: "On a scale of one to 10, this is an 11."

The bug was reported to the OpenSSL team by security engineers at Codenomicon, a company that builds software for pre-deployment testing of business-critical products, and Neel Mehta, a researcher on the Google Security team. But it had apparently in the code since 2011. According to the Sydney Morning Herald, the bug was introduced  by a German software developer and OpenSSL code contributor, who missed a bounds check in the handling of the TLS heartbeat extension that could be used to reveal up to 64k of memory to a connected client or server. (Thus the name, "Heartbleed.")

Once they knew about the vulnerability, the OpenSSL guys fixed it, fast-surprisingly fast, given the relatively small size of this particular open source community, which, according to Steve Marquess, president of the OpenSSL Software Foundation, lacks "the manpower levels needed to support such a complex and critical software product."

Writing on his blog, Marquess pointed to funding as a big part of the problem. His organization has been supporting this critical piece of software with about $2,000 a year in "outright donations," as well as some commercial support contracts and "work-for-hire" consulting. In the five years since the foundation was created, it has never taken in more than $1 million in gross annual revenues, he said.

In the week following the Heartbleed disclosures, the foundation received about 200 donations, Marquess said, "along with many messages of support and encouragement." Most of those donations were for between $5 and $10, and they amounted to about $9,000. (You can still donate.)

"Even if those donations continue to arrive at the same rate indefinitely (they won't), and even though every penny of those funds goes directly to OpenSSL team members, it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product," Marquess wrote. "While OpenSSL does 'belong to the people' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."

So the arrival of a badass bug that seemed initially to repudiate the OSS mantra "given enough eyeballs, all bugs are shallow," actually reinforced that notion, while raising some serious questions about the true responsibility of OSS users. I like the way Bruno Borges, principal product manager for Oracle Fusion Middleware in Latin America, put it on his blog. Although, he acknowledges, the developer and QA have responsibilities here, it is "The whole IT industry (companies and developers of all kind; FOSS or not) who uses OpenSSL for free but does not pay anything for it, and although being Open Source, don't look at it, don't review commits. Just expect it to work without bugs. These are the most to be blamed. (including myself)"

Jonas Falck, CEO and co-founder of Halon Security, weighed in on the subject in an e-mail: "The Open Source community has received a bad rap for the OpenSSL exposure," he wrote, "but the community has rallied together to patch the issue quickly. If anything, the Heartbleed issue has shown how reliant the Internet as a whole is on Open Source, so if corporations can give back to the Open Source community after taking advantage of OpenSSL for so long, there will be more eyeballs spotting vulnerabilities earlier in the future."

Crowdsourcing platform Bugcrowd has initiated a clever, if short-term solution to the Heartbleed problem with a Crowdtilt crowdfunding campaign to secure OpenSSL.

As cool as that campaign is (very cool), it's doesn't address the underlying problem. I thought Walker White, CTO of BDNA, which makes the Technopedia categorized repository of information on enterprise software and hardware, summed up the situation nicely during a recent conversation. (His company uses the repository to put all the hardware and software assets within an organization into a common, easily taxonomy.)

"It's the money-for-nothing syndrome," Walker said, "and it's not just OpenSSL. You have all these great products-Tomcat, Maven, Gradle, Jenkins, Git, all these development tools and frameworks. It is truly incredible what the open-source community has done. But vendors can't treat open source as something they can just plug in. We have to take responsibility for it-especially vendors who are embedding it into commercial solutions-and not just punt to the community when something goes wrong."

Shortly after I filed this story, news broke that the Linux Foundation is launching a three-year, multi-million-dollar project to fund open source projects that are "in the critical path for core computing and Internet functions-including OpenSSL. The funds for the project, called The Core Infrastructure Initiative, will be administered by the Linux Foundation and a steering group made up of backers of the project and "key open source developers and other industry stakeholders." Support will come in the form of funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination, and other support, the foundation said.

"We are expanding the work we already do for the Linux kernel to other projects that may need support," said Jim Zemlin, executive director of The Linux Foundation, in a statement. "Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100 percent on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders' commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL."

Along with the Linux Foundation, the list of "founding backers" of this effort includes Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware.

Posted by John K. Waters on 04/28/2014 at 5:02 PM0 comments

Crowdsourcing Application Development

Back in January I talked with Eric Knipp, who manages Gartner's Application Platform Strategies research team, about some of the opportunities and challenges he saw on the horizon for application developers. During that conversation, he mentioned an intriguing idea that he was exploring: That crowdsourcing could be much more useful to enterprise app dev organizations than most people currently recognize.

That exploration is complete and Knipp's conclusions and recommendations are laid out in a new Gartner white paper, aptly entitled "Use Crowdsourcing as a Force Multiplier in Application Development."

Gartner defines crowdsourcing as "the processes of sourcing a task or challenge to a broad, distributed set of contributors using the Web and social collaboration techniques." Think Netflix Prize or XPrize, or on smaller-scope piecework, Amazon or Mechanical Turk. As Knipp puts it, it is a call for a custom application solution from an external developer community, the members of which expect to earn financial or reputational awards.

The competitive aspect is somewhat similar to open source, which Knipp calls "an important ancestor" to crowdsourcing, and communities do develop around crowdsourcing environments, but the dynamic is dramatically different. Where open source attracts committers, crowdsourcing attracts competitors.

"Most of the time, when you're working on open source, it's something that you want to use personally," Knipp told me. "I'm contributing to Docker, say, because I use it and I found a bug that I want fixed, or there's a feature I want to add to make it better for me and everyone else who uses it. But on the crowdsourcing side, for the most part, this thing that you're building is for a specific purpose and the ownership of the code goes to the sponsor. You're trying to win that contest, get that prize, get invited into private contests, and maybe even get a job. These are two very different sets of motivations, even though both have a community aspect."

Applying crowdsourcing to enterprise application development is about harnessing parts of the open-source model -- the competitive spirit, the application of multiple solutions to a problem -- and folding them into a business model that helps the enterprise do meaningful work, Knipp explained.

It also opens up a new leadership role for application architects as coordinators of "the activities of cutting-edge developers in a free market for technical talent," Knipp said. This model allows app architects "to apply the cloud operating model (scalable and elastic, shared, service-based, metered and delivered using Internet technologies) to the development and delivery of custom software."

Why turn to external sources for internal innovation? Because of the pressure on app dev organizations to leverage a broader set of experience and domain expertise than they have in-house to compete in a world sent into warp-speed competition by cloud, mobile and social trends.

Small or midsize businesses (SMBs) and startups have found successes with mobile and modern Web applications through crowdsourcing, Knipp said. But he insists that larger enterprises can also take advantage of this model. One secret of the SMBs success: applying crowdsourcing to greenfield application development, rather than extending or modernizing existing systems. Also, they tend to focus on the design, coding, and testing disciplines in the software development life cycle (SDLC).

Once the decision to crowdsource is made, Knipp said, the next most important choice facing an organization is which platform to use. The crowdsourcing process is mediated by platforms that connect the sponsoring companies with the competitors, and picking the right one is critical. Currently, most of the platform providers specialize in one phase of the SDLC. DesignCrowd, crowdSpring, and 99designs, for example, focus on the design phase, while uTest, Passbrains, and BugFinders focus on validating code and cross-platform functionality. Only one provider, TopCoder, offers a soup-to-nuts crowdsourcing platform. Knipp expects that situation to change as more enterprises recognize the value of crowdsourcing.

Knipp has a lot more to say on this subject in this must-read white paper. Highly recommended.

Posted by John K. Waters on 04/17/2014 at 4:56 PM0 comments

Apache Olingo Java Library Graduates to Top-Level Project

On Tuesday, the Apache Software Foundation (ASF) sent out a graduation announcement of sorts. The Apache Olingo project, which provides generic Java and JavaScript libraries designed to implement the OASIS Open Data Protocol (OData), has had a status upgrade from Incubator to Top-Level-Project (TLP).

Olingo is a standardized protocol for creating and consuming data APIs. By implementing OData, which is REST-based and uses HTTP, AtomPub and JSON, Olingo is able to use uniform resource identifiers (URIs) to connect with feed resources. The aim is to simplify the querying and sharing of data across disparate apps in the enterprise, the cloud, and on mobile devices. Using OData makes it possible for Olingo to provide a uniform way to expose full-featured data APIs.

Olingo works with browser-based used interfaces, which use it to query data on servers. But it's also used to synch data to mobile devices and exchange data among server systems. Olingo is part of the technical foundation of SAP's NetWeaver Gateway technology and other enterprise solutions.

Olingo extensions contain additional features, such as the support of Java Persistence API (JPA) or annotated bean classes. The project's documentation, wiki and tutorials highlight several examples of implementing a custom OData service, including a sample Web application built with Apache Maven that can be deployed to any Java Platform, Enterprise Edition (JEE)-compliant Web application server, such as Apache Tomcat.

Olingo joined the Apache Incubator in July 2013 with a combination of Java server libraries for OData 2.0 provided by SAP, and Java client libraries for OData 3.0 and JavaScript libraries for OData 3.0 from Microsoft's Open Technologies group (MS Open Tech). Since joining the incubator, the Olingo project has produced three releases, which resulted from the work of 20 individual contributors responsible for 495,107 lines of code and 1,102 commits.

"OData v4 recently became an OASIS standard that is increasingly opening up data for an open Web," said Eduard Koller, senior program manager at MS Open Tech, in a statement. "Apache Olingo is open source software to aid in the production of OData v4.0 clients and servers in both Java and JavaScript. The project brings together several companies and community developers and we look forward to welcoming more users and contributors to the community."

Acceptance as a TLP, which is based on a voting process within the organization, means that Olingo has won a place among such projects as the Apache HTTP Server, the Tomcat Java app server, Hadoop, the Lucene search engine and OpenOffice. Graduation, as the Foundation puts it, signifies "that the project's community and products have been well-governed under the ASF's meritocratic process and principles." Every Apache TLP has a project management committer (PMC) and a chair. An incubator project could also graduate to a subproject of an existing TLP.

The ASF's Incubator is a temporary container project that is the official gateway to mainstream Foundation activity. All potential Apache projects start in the Incubator, which gives the Foundation a chance to scrutinized them, make sure they meet the ASF's legal standards (it's a 501(c)3 non-profit organization), and help them to adopt Apache procedures.

Posted by John K. Waters on 04/09/2014 at 9:04 AM0 comments

JCache, Longest Running Java Spec, Finally Ready

News about Java Specification Requests (JSRs) don't usually make it to the front page, but the announcement that JSR-107, the spec request for a Java Temporary Caching API, better known as JCache, has earned final approval should be top-of-the-fold news -- if for no other reason than the time it took to get there.

The JCache project summary explains that the spec standardizes in-process caching of Java objects "in a way that allows an efficient implementation, and removes from the programmer the burden of implementing cache expiration, mutual exclusion, spooling, and cache consistency."

JSR-107 was the longest running spec request in the history of Java and the Java Community Process (JCP). The JSR-107 Expert Group was formed in 2001. But the spec languished for about a decade until Oracle and Terracotta teamed up and began pushing to get the spec into Java EE 7. Terracotta implemented a version of the JCache spec in Ehcache, a widely deployed open-source Java caching solution the company acquired in 2009. But JCache didn't make it into the Java EE 7 release.

"JCache provides a well thought out, standardized API and programming contract for Java caching," said Greg Luck, Hazelcast CTO and co-author of the JCache spec, in a statement. Luck left Terracotta earlier this year to join Hazelcast, which develops, distributes and supports a leading open source in-memory data grid (IMDG). The product, also called Hazelcast, is licensed under an Apache license that allows developers to include the grid in their applications. The company also provides a commercially licensed Hazelcast Enterprise edition, as well as a management and deployment console called Hazelcast Management Center.

Hazelcast is set to release a production class implementation of JCache, Luck told ADTmag in an e-mail. He plans to continue to his work on JCache, "taking up a co-maintenance lead role" in the spec. "Hazelcast plans to deeply bake in JCache, so that Hazelcast is standards based and may be used for caching without vendor lock-in," Luck said.

Hazelcast's senior solution architect Chris Engelbert also severs on the JCache expert group. Oracle's Brian Oliver and Cameron Purdy also serve as spec leads on the JSR.

Last year, Gartner predicted that in-memory computing is "racing toward mainstream adoption." The analyst firm expected the relatively small IMDG subset of the in-memory computing market (IMC) to grow fast and to reach $1 billion by 2016.

Yet Forrester Research analyst Mike Gualtieri now suggests that JCache may be arriving in an environment populated with products featuring their own in-memory database engines that may eliminate or delay the need among some companies for a caching grid. "The primary use case for in-memory caching is to speed up applications that get bogged down by slower database bottlenecks," Gualtieri said. "A hot trend among the database vendors, such as SAP Hana and Microsoft SQL Server 14, is in-memory capabilities that dramatically speed up database access. These databases aren't just using more memory for old-school indexes of record caching. They have added in-memory database engines that take advantage of the hardware characteristics of RAM. Also, distributed NoSQL databases, such as MongoDB, can perform very well and have the same distributed architecture as Hazelcast and Terracotta."

Posted by John K. Waters on 03/25/2014 at 6:20 PM0 comments

EclipseCon 2014: Java 8 Support, Flux Integrates Orion

The big news at the latest edition of EclipseCon North America, which wrapped up in San Francisco on Thursday, was Oracle's Java 8 announcements. The conference planners devoted an entire day at the show to Java 8 (George Saab's opening presentation on "Java Day" was standing room only). The Foundation itself is providing Java 8 language support as an add-on to the Eclipse IDE.

"We're pretty excited about the Java 8 language support for Eclipse Kepler (the latest version from last June's the release train)," Eclipse Foundation Executive Director Mike Milinkovich told me in an earlier interview. "The Eclipse Java development tools team has done a great job adding Java 8 support to the IDE, including a formatter, code completion, code navigation, search and indexing, a reconciler, and incremental builder support for all of Java 8. I think that the quick assist support for migrating anonymous classes to lambda expressions will be particularly popular with Java developers as they migrate their code."

During his conference keynote, Milinkovich talked about another Eclipse project that should get at least a bit of shine from the Java 8 spotlight: the Flux project. Formerly called Project Flight, Flux aims to design and implement a new architecture and infrastructure for integrating development tools across the desktop, browsers, and servers. As the project page describes it, "The goal is to provide an extremely flexible platform and infrastructure that allows new cloud-based tooling components to be built highly decoupled from each other and that bridges the gap to existing desktop IDEs at the same time."

This project is all about cloud-based developer tooling, and its initial focus is Java and JavaScript tooling implemented by re-using parts of JDT (the tool plug-ins that implement a Java IDE) and the Eclipse Orion browser-based development platform. The Orion client is written in JavaScript and runs in the browser. Other services for other languages to follow, Milinkovich said.

But accomplishing this goal also involves providing connectors to such desktop dev tools as the Eclipse IDE, IntelliJ IDEA, NetBeans, and even plain text editors. This project will be distributed under both the Eclipse Distribution License and the Eclipse Public License, and it'll be hosted on GitHub.

The Flux Project is being led by Pivotal's Martin Lippert. He leads the Spring Tool Suite at Pivotal, which made the initial Flux code contribution. Pivotal spun off from EMC's VMware in 2012.

Milinkovich said he expected Orion, which was contributed to the Eclipse open source community by IBM, to become an increasingly important dev environment. The Flux integration of the Web-based tools of Orion with the desktop tools of Eclipse will give developers "the ability to use the right tools to work on their code, wherever they are," Milinkovich said. "They can use Orion to work on code on their tablet, or in an environment where a Web-based browser is the right way to go."

Milinkovich's keynote was entitled "Eclipse: The Next 10 Years." His talk covered a bit of Eclipse history and then he pulled out his crystal ball to make a few predictions about trends that will affect developers in the future. The Flux Project underscores the growing importance of the cloud, but what topped his list is the overall ascendance of software, which, thanks to the explosion of code bases, is quickly becoming the most important element of the enterprise. An example, he pointed to the Airbus Aircraft, whose planes use four times more onboard code than they did three years ago. Next on his list: the Internet of Things (IoT), which is definitely the next big thing for developers, he said. He pointed out that the Foundation currently has 14 projects in the IoT space, with more are on the horizon.

Posted by John K. Waters on 03/21/2014 at 9:25 AM0 comments

Java SE 8 Is Almost Here, and Lambda Is the Star

The delays are over, the final approvals are in, and the general availability release of the Java Platform, Standard Edition, 8 (Java SE 8) is right around the corner. What has been called a revolutionary upgrade of one of the world's leading software development platforms is due on March 18. Mark Reinhold, chief architect in Oracle's platform group, has described Java SE 8 as the largest ever upgrade in the history of Java, covering the programming model, as well as a "carefully coordinated co-evolution" of the virtual machine, the language, and the libraries.

This release incorporates several high-profile Java Specification Requests (JSRs), the most talked about of which is JSR 335, Project Lambda. Originally planned for the Java SE 7 release, but pushed back, Project Lambda extends support in the Java language and core libraries to enable the Java SE APIs to use lambda expressions (closures), which are anonymous functions.

Reinhold has called the support for lambda expressions in this release the single largest upgrade to the programming model, ever. Mike Milinkovich, executive director of the Eclipse Foundation, calls it a massive change of the Java language, libraries, and JVM.

"Without a doubt the most important new feature in Java 8 is lambdas," Milinkovich told ADTmag. "This is a sweeping change that modernizes the language, allows for a much more readable syntax, allows for better code generation, and helps the JVM make much better use of multicore processors. Inner classes were always a hack, and having proper closures in the Java language has been a missing feature for a very long time."

The Foundation is releasing Java 8 language support as an add-on to the Eclipse IDE at next week's EclipseCon. That add-on includes a formatter, a code completion feature, code navigation, search and indexing, a reconciler, incremental builder support, and "quick assist" support for migrating anonymous classes to lambda expressions. "I think [that feature] will be particularly popular with Java developers as they migrate their code," Milinkovich said.

Using lambda expressions will, among other things, make it easier for developers to write code for multicore processors. But on a more fundamental level, lambda expressions introduce the idea of functions from lambda calculus into the Java language, making the Java SE 8 release look like a step toward functional programming. The functional paradigm, which emphasizes the evaluation of expressions, rather than the execution of commands, and essentially eliminates the need for program state by expressing all computations in the form of functions that take arguments and return values, is used by such modern JVM languages as Groovy, Scala, and Clojure.

The lambda support in Java SE 8 alone makes it an important milestone for the language and platform, said IDC analyst Al Hilwa, but it's one of several changes that represents significant new functionality in this release.

"There are a variety of interesting things in SE 8, like the Streams API focused on parallel processing large data sets, Project Nashorn's faster JavaScript engine, and of course implementing Lambda expressions," Hilwa said. "These are significant changes to the language that will have a long-term impact as we shift into a highly parallel world populated with multi-core devices and big data. To see the team do this while simultaneously investing heavily in securing the platform in the face of escalating malware attacks everywhere is a huge achievement."

The list of new features in this also includes the new Date/Time API (JSR 310), Type Annotations (JSR 308), and a set of Compact Profiles, which allow Java SE 8 implementations to scale down easily.

One prominent Java initiative, Project Jigsaw, hasn't been included in this release. The Java-native module system is expected in Java SE 9.

"Generally, programming languages evolve slowly and with great focus on stability," Hilwa observed, "because the code has to continue to run for decades. Meanwhile, new innovations have to be accommodated, and so Java's governance model allows it to be evolved and adapt to new innovation, and this is what we are seeing here."

Oracle is hosting a live Java 8 Launch Webcast on March 25.

Posted by John K. Waters on 03/12/2014 at 10:35 AM0 comments

Adopt-a-JSR and Java SE 8

The long awaited, much anticipated release of Java SE 8 is nearly upon us. March 18th is the official release date, though numerous "launches" and other events will follow. A lot of work went into this release, with contributions coming from many quarters -- including Java User Groups (JUGs) around the world who participated in the Adopt-a-JSR program.

The Java Community Process (JCP), which manages the development of standard technical specifications for Java technology, launched the program in December 2011. Adopt-a-JSR encourages individual members of the Java community -- average developers working with Java day-to-day -- to "adopt" a Java Specification Request (JSR) by following its progress, supporting its expert group, reporting back to the wider community on its progress, and evangelizing its benefits.

The program aims to get JUGs involved in the Java standards process, and through those organizations, to promote "grass roots, developer-level participation in existing and emerging Java standards," the JCP says. The idea it to generate "earlier feedback, leading to more developer-friendly APIs;" "end user/developer expert input;" and to get the developer community to do more of "the heavy lifting."

To get that level of participation, the organization turned to the London Java Community (LJC) with the idea. LJC members Martijn Verburg and Ben Evans got the ball rolling, and the JCP considers the program to be "JUG-led."

"This is one of the best things to happen to the [JCP]," JCP chair Patrick Curran told ADTmag in a recent interview. "It has added some great energy and real enthusiasm."

The initial list of JUGs participating in the Adopt-a-JSR program included SouJava in Brazil, GoJava (Brazil), Houston JUG (US), and Chennai JUG (China). That list now reportedly comprises 20 JUGs, including Belgium JUG, Campinas JUG, CEJUG, Cologne JUG, Congo JUG, Faso JUG, Guadalajara JUG, Hyderabad JUG, Indonesia JUG, Istanbul JUG, Joglo Semar JUG, Jozi JUG, LJC, Madrid JUG, MBale JUG, Morocco JUG, Peru JUG, Silicon Valley JUG, and Toronto JUG.

Participants engage with the program on three levels: Starter, Intermediate, and Advanced (details here).

The JUG members contributed to many of the signature changes coming in Java SE 8, including JSR 335 (Lambda Expressions for the Java Programming Language), and JSR 310 (the new Date and Time API). The latter effort was led by LJC members James Gough and Richard Warburton.

JUGs have long been a valuable community resource for Java professionals. These volunteer organizations create opportunities to share information and to network, in person, with other Java practitioners. Most groups have some kind of Web presence, and there are some virtual groups out there.

Oracle also sponsors an Adopt OpenJDK program, which was launched in 2012. It has the same goals as Adopt-a-JSR, but focused on the open-source Java reference implementation. The program currently has 147 participants, and is administered by the LJC's Verburg.

Of course, the final release of Java SE 8 on March 18 doesn't end the Adopt-a-JSR program. For more information on how to get involved in work already under way for Java SE 9, go here.

Posted by John K. Waters on 03/12/2014 at 12:28 PM0 comments

Report: It's Time To Include Localizers on the Agile Team

There was a time when enterprise application development teams simple threw their code over the wall to the people charged with the task of localizing it. Those days are fading, of course; software developers in medium to large companies have been generating ever greater percentages of their organizations' revenues outside the West for the past decade. And the pressure to "go global" faster is ever increasing.

Consequently, say the industry watchers at the Cambridge, Mass.-based research firm Common Sense Advisory, it's time for the team responsible for adapting U.S.-made software to other languages and cultures (a process called localization) to join the Agile team.

"Agile goes so fast that the other teams supporting it have had to get much closer together," said Director of the Global Leaders Service Rebecca Ray. "Testing, documentation, even the marketing people -- everyone needs to get together. And the localization team needs to work closer with the app dev team, too."

Ray recently co-authored a research report ("Localization at the Speed of Agile: Best Practices for Making the Transition") with her firm's founder and chief strategist, Donald A. De Palma. The report looked at the unique challenges associated with implementing Agile localization through interviews with 21 companies that develop software and faced this challenge.

"Agile is the gateway to integrating internationalization and localization as they were meant to be in the software development process," the authors wrote. "No localization team should pass up the chance to make it happen."

You'd think the spread of lightweight development methodologies among app dev teams would offer a nice solution to this "go global" challenge, but Agile is not a natural fit with traditional localization processes, Ray said.

"Agile is really a different way of developing software," she explained. "It's much more circular than linear, so it basically breaks the more linear processes that have been used for localization in the past. It's a huge change for localization teams."

Yet it's a change that must be made, Ray said. The localization team must become a part of the Agile team from the beginning of a project. If you don't want it to break your software, "localization" must become part of the "definition of done."

"Make sure that you talk to the localization people up front, during design," she said. "When you put together your users stories, the localization people should be in that group. The definition of done has to include localization."

During their research, Ray and De Palma found three common strategies among the companies interviewed for "syncing up" localization teams and developers: 1) "lag one sprint behind developers," which allows localizers to test features that may not be finished until the last minute in the previous sprint; 2) "stay current with each drop," which requires a high degree of automation, especially if sprints occur every two weeks or less; and 3) "sync up when most of the user interface (UI) work is complete," which allows the localization team to avoid the huge churn in features that usually happens within the first few weeks after development begins.

The report emphasizes the importance of automation to the success of an Agile localization effort. "Things have to be automated enough so that the translation management software can be connected directly into the source code repositories," Ray said. "That way, the software can just pick up whatever strings have changed and shoot them off to the translation/localization provider."

Also, the integration of localization with Agile doesn't have to be an all-or-nothing proposition, the researchers suggested. "There are certain things you must get right and places where you have to align or integrate localization with product development processes," they wrote. "However, you don't need to attend every single Scrum, translate every iteration of every string, or deliver 100% human translation for all sprints. If you spend too much time creating a perfectly Agile process, you will likely lose much of the adaptability and flexibility that comes with the model."

The reprioritization of localization from a last-minute consideration mirrors in some ways the status evolution of software testing from the ugly stepchild of the software development process. Proper localization can be a matter of life-and-death when it involves medical devices or automotive applications.

"I want to be sure that the doctor in Turkey can read my MRI output," Ray said. "And when my Toyota Prius arrives, it better speak English to me, and it better speak it well. There can't be any mistakes in that dashboard."

"People should keep in mind that this should not be painful," she added. "It should just be, this is another business process, and here's what we need to do."

An extract from the report is available on the Common Sense Advisory Web site.

Posted by John K. Waters on 03/07/2014 at 9:53 AM0 comments

Colbert at RSA: When Smart Equals Funny

I've been covering tech trade shows and user conferences for more than two decades, and last week's RSA conference was the first in my experience to include a comedic keynoter who actually understood the technology and the issues surrounding it. Stephen Colbert, host of Comedy Central's "The Colbert Report," gave the conference closer in San Francisco on Friday to a packed house, and killed.

"RSA developed this conference in 1991 as a forum for cryptographers to gather and talk shop," Colbert said, "and I assume breed with one another. Of course officially that's called exchanging private keys."

Colbert kidded conference organizers for booking FBI director James Comey as a speaker, and noted the director's comment that "At our best, we are looking for security measures that enhance liberty."

"Well said director," Colbert said. "I'm sure that under enhanced liberty you can have all the privacy that you want-just like under enhanced interrogation you can breathe all the water you want."

He also dinged Scott Charney, head of Microsoft's Trustworthy Computing group, who also spoke.

"Not everyone can book a speaker from an Orwellian dystopia," he said. "I look forward to next year's speech from the executive director of Sweet Dreams Euthanasia Clinic, Incorporated."

Colbert laid into NSA leaker and conference buzz hog Edward Snowden during his talk, calling him "practically a war criminal" for taking top secret U.S. intelligence to China and then to Russia. "Was Mordor not accepting asylum requests?" he asked. (He's a known hardcore Tolkien fan.)

He also had a few choice words for the NSA: "We can trust the NSA," he said, "because without a doubt it is history's most powerful, pervasive, sophisticated surveillance agency ever to be totally pwned by a 29-year-old with a thumb drive."

Colbert addressed the boycott of the conference this year by 13 digital security experts, who canceled their talks after Reuters reported that RSA, the conference organizer and chief sponsor, had a $10 million contract with the NSA to set as the default in their encryption products a flawed formula for generating random numbers, which effectively created a back door.

Activists from Fight for the Future appealed to Colbert to join their boycott in an open letter, which read in part: "We know you, Stephen, and we know you love a good 'backdoor' joke as much as we do-but this kind of backdoor is no laughing matter...We want to hear your speech, but give it somewhere else!"

"The elephant in the room is that I was asked not to come [and] speak here," Colbert told his audience. "That came as something of a shock to me. Normally I'm asked not to be somewhere only after I've spoken."

"I looked at the signatures on the online petition," he added. "Then I looked at the signature-my signature-on the bottom of the contract saying I'd be here today, and my conscience was clear, as long as the check clears...Well, it's not actually a check. They gave me a bitcoin voucher from Mt. Gox, and I'm sure it's going to be fine."

At one point, Colbert offered a kind of acknowledgment of the American people for their support of the NSA's programs.

"We all deserve credit for this new surveillance state that we live in," he said, "because we the people voted for the Patriot Act. Democrats and Republicans alike. We voted for the people who voted for it, and then voted for the people who reauthorized it, then voted for the people who re-re-authorized it."

Colbert also pitched his own data security venture, CloudFog. "We take a novel horizontal approach to vertical socket encryption," he said. "The result can only be described as diagonal."

Here in Silicon Valley, smart often equals rich. I'm glad to see it sometimes equals funny.

Posted by John K. Waters on 03/03/2014 at 3:27 PM0 comments

Upcoming Events


Sign up for our newsletter.

I agree to this site's Privacy Policy.